CVE-2026-4818

Medium

Published: 31 March 2026

Modified: 03 April 2026
CVSS Score v3.1: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0019 (8.6th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-4818 is a medium-severity Improper Authorization (CWE-285) vulnerability in Search Guard FLX. Its CVSS base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 8.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4818 is an authorization bypass vulnerability affecting Search Guard FLX versions from 3.0.0 up to 4.0.1. The flaw, tied to CWE-285 (Improper Authorization) and CWE-862 (Missing Authorization), enables users lacking required privileges to perform certain management operations on data streams. It carries a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating medium severity with network accessibility, high attack complexity, low privileges required, and significant impacts on confidentiality and integrity but no availability disruption.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network, though exploitation depends on preconditions that make attack complexity high (AC:H). Successful exploitation allows unauthorized execution of management operations against data streams, potentially leading to high confidentiality and integrity violations, such as unauthorized data access or modification.

Mitigation details are outlined in the Search Guard advisories, including the changelog for version 4.1.0 at https://docs.search-guard.com/latest/changelog-searchguard-flx-4_1_0 and the CVE advisory at https://search-guard.com/cve-advisory/. Practitioners should upgrade to Search Guard FLX 4.1.0 or later to address the issue.

Vulnerability details

In Search Guard FLX versions from 3.0.0 up to 4.0.1, there exists an issue which allows users without the necessary privileges to execute some management operations against data streams.

CWE(s)

CWE-285 (Improper Authorization)
CWE-862 (Missing Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The authorization bypass (CWE-285/CWE-862) in network-accessible Search Guard allows low-privileged authenticated users to execute privileged management operations on data streams. This maps directly to exploitation for privilege escalation (T1068) and exploitation of a public-facing application (T1190), with confidentiality and integrity impacts.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33950: Shared CWE-285, CWE-862
CVE-2025-2110: Shared CWE-862
CVE-2026-39432: Shared CWE-862
CVE-2026-22683: Shared CWE-862
CVE-2025-26683: Shared CWE-285
CVE-2022-45830: Shared CWE-862
CVE-2025-6754: Shared CWE-862
CVE-2025-21611: Shared CWE-285
CVE-2025-29926: Shared CWE-285, CWE-862
CVE-2026-2001: Shared CWE-862

Affected Assets

Vendor: search-guard
Product: flx
Version range: 3.0.0 — 4.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Requires enforcement of approved authorizations for logical access to system resources, directly preventing unauthorized management operations on data streams due to the authorization bypass.

prevent: Mandates least privilege to restrict users to only necessary accesses, limiting the potential impact and scope of exploitation by low-privilege attackers.

prevent: Directly addresses the vulnerability by requiring timely flaw remediation through patching to Search Guard FLX 4.1.0 or later.
